Today it was widely reported, including on Computerworld, that Morgan Stanley claimed millions of their emails requested for arbitration were destroyed during the 9/11 terrorist attacks. The National Association of Securities Dealers (NASD) accused Morgan Stanley of in fact having the emails on backup media the entire time.
A couple of excerpts from the Computerworld report:
“Morgan Stanley responded that it has tried to reach a “fair and appropriate” settlement of the NASD complaint, but the regulator made “disproportionate and unprecedented demands.” As a result, it will litigate the matter, Morgan Stanley said. Under the regulator’s rules, companies or individuals named in its disciplinary complaints can request a hearing before a three-member panel comprising a professional hearing officer and two members of the securities industry. If the panel decides against Morgan Stanley, it could face a fine, censure or some other remedial action.”
“NASD head of enforcement James Shorris said he viewed the case as “unprecedented,” citing the period involved — from September 2001 until March 2005 — as well as the millions of e-mails involved. The NASD complaint follows the investment bank’s settlement in May of allegations by the U.S. Securities and Exchange Commission that the company failed to produce tens of thousands of e-mails during SEC investigations from late 2000 to 2005. Morgan Stanley agreed to pay $15 million to settle those allegations and agreed to adopt policies and training practices on e-mail preservation and production, although it neither admitted nor denied the allegations. Among other brushes with regulators, the securities firm was fined by the NASD for “widespread” violations of rules relating to stock and bond trades from 1999 and for failing to include necessary disclosures in research analyst reports. In June, Morgan Stanley also agreed to pay $10 million to settle SEC charges that it failed to maintain proper procedures against possible insider trading.”
I’ve seen a lack of communication and coordination between departments within many organizations. It’s very possible that the folks who were communicating with the SEC about the emails were not communicating with the folks responsible for making backups of the emails, or the folks responsible for records retention. Based upon their agreement to create them, though, it sounds as though they did not have policies or training covering email and related retention.
Organizations definitely need to have policies governing the security and management of their information in all forms. However, they cannot stop there, but unfortunately often do. They need to ensure all stakeholders within the organization know and understand the policies, that appropriate procedures and standards are created to support the policies, and that ongoing training and awareness for them takes place.
It is important that all key players know and understand how information is managed, and that they manage it appropriately according to the procedures and standards. Remember, policies are generally descriptive in nature, describing a goal. Procedures and standards are prescriptive in nature, prescribing how to meet that goal. For email retention, everyone with responsibilities for email management in one form or another, including representing the company when discussing litigation or other legal actions related to email, needs to know and understand not only the company’s email policies, but also the supporting procedures and standards.
Email retention is going to become more of an issue for organizations now that the amendments to the Federal Rules of Civil Procedure went into effect on December 1, 2006. I wrote about the impacts this would have on businesses in the November issue of the Computer Security Institute (CSI) Alert newsletter.
I’ve discussed the issue of email retention with several organizations. The following is an example of a question I got from one of my blog readers on this topic (thanks John!):
“Hi, I need to know the laws in Connecticut pertaining to “Email Retention Compliance”. I am interested in knowing the rules for a non-financial small business. Any help would be greatly appreciated. Thanks…”
Interesting question. All organizations need to be aware of the numerous U.S. federal laws and regulations that have retention requirements covering email. John, be sure your organization is in compliance with those. I wrote and posted a paper on this topic a few months ago, “The Business Leader Data Retention and E-Discovery Primer”; take a look at that.
Regarding Connecticut law specifically, if you want to see the retention schedules for all Connecticut state agencies, see the “Records Retention Schedules for State Agencies.” I’m not aware of any other state specific laws in Connecticut that would apply to email retention for non-government agencies, though. However, there very well could be! I’ll post again if I find something, but in the meantime check with your legal counsel.
Tags: awareness and training, corporate governance, e-discovery, email retention, Information Security, IT compliance, privacy, retention law